-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow configurable time for ES output #921
Comments
An older discussion about this can be found here: https://github.com/elastic/libbeat/issues/318 It's a good time to close the older one and reference to this one here. Somehow related: #574 |
@markwalkom Is the goal to just make it possible to not have a pattern, or that the output would recognize different output patterns? Can you give some examples? |
Sure. Hourly, weekly, monthly indices. Not non-time based though.
|
That would mean it has the following logic (abstract code)
Would that work, assuming we can interpret common pattern with |
Looks OK. You can do this with LS, not sure how go handles it!
|
Would it be possible to have the index and pattern concatenation part also configurable, so that we could have indices like index_pattern, not only index-pattern? |
@gr0 you mean |
@markwalkom yes, so one could actually have the index pattern that matches the rest of the sources and not ending up with multiple index name patterns or having to modify the rest of the setup to include beats. For example, if would be nice, to be able to have patterns like [filebeat_]YYYY-MM-DD or [filebeat_]YYYY.MM.DD depending on the needs. Of course with some nice default if the user doesn't want to configure the pattern and just want beats to take care of that. What do you think? |
I'd vote for duplicating how logstash parses this option, at a minimum. |
As a reference here is the way LS does it: https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-index @UserNotFound You mention "at a minimum". What are the limitations for you with the LS approach? |
@ruflin I have not encountered any limitations, I would just like to be able to name all of my indexes consistently across my environment. |
@UserNotFound Ok. I was asking because if we implement this similar to LS it would be good to know if there are some limitations with the LS approach and we could improve on top of it. |
Just gave winlogbeat a try today since we are using Solarwinds LEM to gather Windows events. Looking forward for this enhancement to be implemented because:
|
@markwalkom Could this one help here? elastic/elasticsearch#17814 |
Yes, but only if the user uses the ingest node. On 27 April 2016 at 21:09, Nicolas Ruflin [email protected] wrote:
|
@markwalkom So either ingest node or LS can be used, so question is if this feature would still be needed on the beats side (if we not talk about older ES versions). |
But if you use direct to ES this still matters, so I think it's still a
|
There is now also a new "rollover" API which is also interesting here: https://www.elastic.co/guide/en/elasticsearch/reference/master/indices-rollover-index.html |
This transforms the fixed index into a pattern, somehow similar to how Logstash is doing it. However, logstash is using the Joda format, for which we don't have Go libraries. So instead of writing `filebeat-%{+YYYY.MM.dd}` you would need to write `filebeat-%{+2006.01.02}` (i.e. layout by example). Because the Go layouts don't support ISO 8601 weeks, in order to support weekly indices, the special `isoweek` keyword was introduced, which is the equivalent of Joda `xxxx.ww`. The layout `filebeat-%{+isoweek}` results in `filebeat-2016.29` for today. Part of elastic#2074. Closes elastic#921.
Implemented in #2119. |
Here we state;
But we don't allow the
YYYY.MM.DD
to be configurable.This isn't ideal as users cannot do anything but daily indices without putting Logstash in the pipeline.
The text was updated successfully, but these errors were encountered: